networking

bluetooth

hardware

  • router: connects subnets and translates addresses
    • routers don't forward broadcasts between subnets
  • hub: sends packets to all ports
  • switch: sends packets only to the one (physical) port where the recipient of the packet is
    • cam table - maps mac addresses to (physical) ports in a switch
      • how does it build it? the switch reads the source mac of every frame it sees (e.g. a laptop's dhcp request) and adds that mac → port entry to the cam table
    • if you mac flood a switch (overflow the cam table), it falls back to hub mode (forwards frames out every port)
    • switch is layer 2, doesn't care about ip addresses
  • access point: like a hub, but wireless. the packets get forwarded to every device (since you can't send radio waves to just one device); your computer knows to ignore packets that aren't for it
    • unless you put your network card in promiscuous mode

mac spoofing is a thing.

7-layer model

1 - physical (802.11, 802.3)

2 - link

  • ethernet, tokenring, arp [frame]
    • DST MAC (6 bytes), SRC MAC (6), TYPE (2)
    • destination comes first so you can tell right away whether the frame is for you or not (unless you're in promiscuous mode)
    • ethernet can go over any physical medium
    • broadcast address is all 1s: all f's, ff:ff:ff:ff:ff:ff (every byte is 0xff)
    • ARP / RARP (reverse arp)
      • PHY ADDR (6) (DST, SRC), LOG ADDR (4) (DST, SRC), OPCODE
        • PHY - MAC
        • LOG - IP
      • a request only fills in 3 of the 4 address fields: the target MAC is the thing being asked for
      • ARP poisoning - continually send out packets
        • tell victim that you're the gateway
        • tell gateway that you're the victim
        • avoid this by only listening to the dhcp port (or set it manually if there's no dhcp)
      • arp -a / ip neigh(bor)
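An added example (my own code, not from these notes): a Python parser for the frame layout above (DST MAC, SRC MAC, TYPE, then the ARP address fields) plus a small arpwatch-style monitor that remembers which MAC last claimed each IP and flags a change, which is what ARP poisoning looks like on the wire. The three frames are constructed for the example, not captured traffic; the MACs and the 10.0.0.0/24 addresses are made up.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame: bytes) -> Tuple[str, str, int, bytes]:
    """Split a frame into (DST MAC, SRC MAC, TYPE, payload); the header is 14 bytes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]


def parse_arp(payload: bytes) -> Dict[str, object]:
    """Parse an Ethernet/IPv4 ARP packet: 8-byte fixed part, then SHA, SPA, THA, TPA."""
    if len(payload) < 28:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "opcode": opcode,  # 1 = request, 2 = reply
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),  # target MAC is all zeros in a request
    }


class ArpMonitor:
    """Remembers which MAC last claimed each IP and flags changes (arpwatch-style)."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one frame; return an alert string if something looks wrong, else None."""
        _dst, eth_src, ethertype, payload = parse_ethernet(frame)
        if ethertype != ETHERTYPE_ARP:
            return None  # not ARP, nothing to learn
        arp = parse_arp(payload)
        # The sender fields are what every host on the segment will cache,
        # so those are the ones worth watching, for requests and replies alike.
        if arp["sender_mac"] != eth_src:
            return f"ARP sender {arp['sender_mac']} does not match frame source {eth_src}"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is not None and previous != mac:
            return f"{ip} changed from {previous} to {mac}"
        return None


# Constructed sample frames (made-up addresses, not captured traffic): 10.0.0.5 asks for
# the gateway 10.0.0.1, the gateway replies, then another host replies for 10.0.0.1.
SAMPLE_FRAMES = [
    bytes.fromhex(
        "ffffffffffff aabbcc000005 0806 "                # broadcast DST, SRC, TYPE = ARP
        "0001 0800 06 04 0001 "                          # Ethernet, IPv4, 6, 4, request
        "aabbcc000005 0a000005 000000000000 0a000001 "   # SHA, SPA, THA (unknown), TPA
    ),
    bytes.fromhex(
        "aabbcc000005 aabbcc000001 0806 "
        "0001 0800 06 04 0002 "                          # reply
        "aabbcc000001 0a000001 aabbcc000005 0a000005 "
    ),
    bytes.fromhex(
        "aabbcc000005 aabbcc0000ff 0806 "
        "0001 0800 06 04 0002 "                          # reply for 10.0.0.1 from a different MAC
        "aabbcc0000ff 0a000001 aabbcc000005 0a000005 "
    ),
]


def run_sample() -> List[str]:
    """Run the monitor over the constructed frames and collect its alerts."""
    monitor = ArpMonitor()
    alerts = []
    for frame in SAMPLE_FRAMES:
        alert = monitor.observe(frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```

Only the third frame produces an alert, because the first two simply populate the table. A real deployment would feed frames from a raw socket or a pcap and would also want to age entries out, since a host legitimately changing its NIC looks the same as a poisoning attempt on the wire.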

3 - network

  • ip, ipv6 [packet]
    • ip packet
      • Header: SRC IP, DST IP, TTL, Length, Frag, Proto, Checksum, Header Length
        • Frag: fragmentation
        • Proto: protocol tells you whether the payload is ICMP, TCP, etc.
        • Header Length: counted in 32-bit words, so you multiply it by 4 (which is why the header needs to be a multiple of 4 bytes)
          • ipv4 header must be at least 20 bytes, can be more in multiples of 4, adding on additional options fields
        • TTL: the default value differs by operating system
    • traceroute
      • windows: ICMP echo request
      • mac: UDP
      • linux: TCP
    • ICMP
      • used for error reporting
      • has no port, since ports are used to tell which process to send it to. icmp just gets handled by the kernel.

4 - transport

  • icmp, tcp, udp
    • tcp packet
      • handshake: SYN, SYN/ACK, ACK (could also be SYN, SYN, ACK, ACK when both sides open at once)
      • other flags: RST clears this connection from your connection table, FIN at the end of the whole session to stop, URG urgent, PSH push (sending unrequested data)
    • header: Length, Checksum, DST Port, SRC Port, Seq number, Flags (not in that order)
      • Checksum is a bit operation that has more collisions than a hash. very fast to do in hardware
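An added example (my own code, not from these notes) covering both the ip header notes and the tcp notes above: a Python parser that pulls the IPv4 fields out of a packet, turns the header-length field into bytes by multiplying by 4, verifies the RFC 1071 checksum (a few 16-bit adds and a fold, which is why it is cheap in hardware and weaker than a hash), and then decodes the TCP ports and flags. The three packets are constructed by hand, with made-up addresses (10.0.0.5 and 192.0.2.1) and a zero TCP checksum, which this example does not verify because it covers a pseudo-header as well.

```python
import struct
from typing import Dict

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's complement sum of the 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold the carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte IPv4 header, honouring IHL for options."""
    if len(packet) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto,
     _cksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4  # IHL counts 32-bit words, hence * 4
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("bad header length")
    return {
        "header_len": header_len,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,  # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # a correctly checksummed header sums to zero with the checksum field included
        "checksum_ok": internet_checksum(packet[:header_len]) == 0,
        "payload": packet[header_len:total_len],
    }


def parse_tcp(segment: bytes) -> Dict[str, object]:
    """Decode the fixed 20-byte TCP header; data offset is also in 32-bit words."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, seq, ack, off_res, flags, window, cksum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
            "window": window, "checksum": cksum, "data": segment[data_offset:]}


def parse_packet(packet: bytes) -> Dict[str, object]:
    ip = parse_ipv4(packet)
    result: Dict[str, object] = {"ip": ip}
    if ip["proto"] == 6:
        result["tcp"] = parse_tcp(ip["payload"])
    return result


# Constructed samples (hand-built, made-up addresses): a SYN from port 50000 to 443.
TCP_SYN = bytes.fromhex("c350 01bb 00000001 00000000 50 02 ffff 0000 0000")
# IHL=5 (20 bytes), total length 40, DF set, TTL 64, proto TCP, checksum 0x5284
IP_PLAIN = bytes.fromhex("45 00 0028 1c46 4000 40 06 5284 0a000005 c0000201")
# IHL=6 (24 bytes) with NOP NOP NOP EOL options, total length 44, checksum 0x4f7f
IP_OPTIONS = bytes.fromhex("46 00 002c 1c46 4000 40 06 4f7f 0a000005 c0000201 01010100")
SAMPLE_PACKET = IP_PLAIN + TCP_SYN
SAMPLE_WITH_OPTIONS = IP_OPTIONS + TCP_SYN
# TTL altered without the checksum being recomputed: what corruption in flight looks like
_damaged = bytearray(SAMPLE_PACKET)
_damaged[8] = 63
CORRUPTED_PACKET = bytes(_damaged)


if __name__ == "__main__":
    for name, pkt in [("plain", SAMPLE_PACKET), ("options", SAMPLE_WITH_OPTIONS),
                      ("corrupted", CORRUPTED_PACKET)]:
        parsed = parse_packet(pkt)
        print(name, parsed["ip"]["header_len"], parsed["ip"]["checksum_ok"], parsed["tcp"]["flags"])
```

Note that a router decrementing TTL also recomputes the header checksum, so a failed check means the packet was damaged or tampered with after the last hop that handled it, not merely that it travelled.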

5 - session

  • rpc, netbios

6 - presentation

  • tls/ssl [ssl = tlsv1]

7 - application

  • http

protocols

dns

  • dig - a dns tool

    General use

    → dig alex-bellon.com
    ; <<>> DiG 9.14.6 <<>> alex-bellon.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64475
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;alex-bellon.com.       IN  A
    
    ;; ANSWER SECTION:
    alex-bellon.com.    3600    IN  A   216.239.32.21
    alex-bellon.com.    3600    IN  A   216.239.36.21
    alex-bellon.com.    3600    IN  A   216.239.34.21
    alex-bellon.com.    3600    IN  A   216.239.38.21
    
    ;; Query time: 28 msec
    ;; SERVER: 128.83.185.41#53(128.83.185.41)
    ;; WHEN: Tue Nov 12 17:51:32 CST 2019
    ;; MSG SIZE  rcvd: 108
    

    Shorter Answer

    → dig +short alex-bellon.com
    216.239.36.21
    216.239.38.21
    216.239.32.21
    216.239.34.21
    

    Nameserver Details

    → dig ns +short alex-bellon.com
    ns-cloud-a1.googledomains.com.
    ns-cloud-a3.googledomains.com.
    ns-cloud-a4.googledomains.com.
    ns-cloud-a2.googledomains.com.
    

    Use a different DNS server

    → dig alex-bellon.com @1.1.1.1
    

    Reverse DNS Lookup

    → dig -x 8.8.8.8
    

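An added example (my own code, not from these notes or from dig): what dig is doing underneath the commands above, in Python against the DNS wire format. It builds the same A query for alex-bellon.com, parses a response with name compression, builds the in-addr.arpa name that `dig -x` really asks for, and checks the one thing a resolver must verify before trusting a reply, that the transaction id and question match. The response bytes are constructed by hand to match the dig output above (id 64475, flags qr rd ra, the four A records with TTL 3600), minus the EDNS OPT record; `send_udp` needs network access and is not used by the sample run.

```python
import secrets
import socket
import struct
from typing import Dict, List, Optional, Tuple

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: Optional[int] = None) -> bytes:
    """One question with RD set, like `dig <name>` (no EDNS OPT record here)."""
    if txid is None:
        txid = secrets.randbelow(65536)  # unpredictable id: one thing a forged reply must guess
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def reverse_name(ipv4: str) -> str:
    """What `dig -x` asks for: the octets reversed under in-addr.arpa (PTR type)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return it and the offset just past it."""
    labels: List[str] = []
    jumped, end, hops = False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, 14-bit offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops, offset = True, hops + 1, pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> Dict[str, object]:
    """Decode header, question and answer sections (also works on a bare query)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata: object = msg[off:off + rdlen]
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(map(str, msg[off:off + rdlen]))
        elif rtype == TYPE_PTR:
            rdata = decode_name(msg, off)[0]
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid,
            "flags": {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080)},
            "rcode": flags & 0x000F,
            "question": questions[0] if questions else None,
            "answers": answers}


def response_matches_query(query: bytes, response: bytes) -> bool:
    """A resolver accepts a reply only if the id and the question echo its own query."""
    q, r = parse_response(query), parse_response(response)
    return q["id"] == r["id"] and q["question"] == r["question"]


def send_udp(query: bytes, server: str = "1.1.1.1", timeout: float = 3.0) -> bytes:
    """Send a query to a resolver on UDP/53, like `dig ... @1.1.1.1` (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        return sock.recv(4096)


# Constructed response mirroring the dig output above (no OPT record).
SAMPLE_RESPONSE = bytes.fromhex(
    "fbdb 8180 0001 0004 0000 0000 "                   # id 64475, qr rd ra, 1 question, 4 answers
    "0b 616c65782d62656c6c6f6e 03 636f6d 00 0001 0001 "  # alex-bellon.com  A  IN
    "c00c 0001 0001 00000e10 0004 d8ef2015 "           # pointer to offset 12, A, IN, TTL 3600, 216.239.32.21
    "c00c 0001 0001 00000e10 0004 d8ef2415 "           # 216.239.36.21
    "c00c 0001 0001 00000e10 0004 d8ef2215 "           # 216.239.34.21
    "c00c 0001 0001 00000e10 0004 d8ef2615 "           # 216.239.38.21
)

if __name__ == "__main__":
    query = build_query("alex-bellon.com", txid=64475)
    print("matches:", response_matches_query(query, SAMPLE_RESPONSE))
    for answer in parse_response(SAMPLE_RESPONSE)["answers"]:
        print(answer["name"], answer["ttl"], answer["rdata"])
```

To try it against a live resolver, pass `build_query(...)` to `send_udp` and feed the bytes that come back to `parse_response`; the id and question check is exactly why a random transaction id (and a random source port) matters for a resolver.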

tools

  • awesome-waf - everything awesome about web-application firewalls (waf)
  • brim - desktop application to efficiently search large packet captures and zeek logs.
  • broxy - an http/https intercept proxy written in go.
  • iprepd - centralized ip reputation daemon
  • iptables
  • milkman - a request/response workbench
  • ngrok - ngrok is a reverse proxy that creates a secure tunnel from a public endpoint to a locally running web service. ngrok captures and analyzes all traffic over the tunnel for later inspection and replay.
  • opensnitch - host-based application firewall
  • ptunnel - tunnel connections through https proxy
  • ptunnel-ng - tunnel tcp connections through icmp
  • ssl configuration generator

vpn

vpn tunneling

  • zerotier
    • zerotier allows you to directly connect from your machine to another remote machine on another network; it "punches through" firewalls, nats, etc. to make a direct connection. you are given a 10 hex-digit zerotier address for your node, and in order to join another network you need its 16 hex-digit network id. this lets you build mesh networks across many machines and networks.
    • zerotier linux gui